Security is important for every website. When employees leave a project or company for whatever reason, you must review their security access to prevent potential future tampering or the loss of important data. Failure to secure your subscription after an employee departure can result in issues like the following:

• Incorrect credit card charges
• Failure to receive Cloud Platform notifications
• Account and application security breaches

Cloud Platform security steps

If you are a Cloud Platform subscriber, review the following steps to secure your websites after an employee’s departure:

• Remove the employee from your Acquia Teams

  The subscription administrator should remove the employee from all teams. If the administrator is the departing employee, the departing employee can designate a new organization owner. If this isn’t possible, create a Support ticket and copy the previous owner on the ticket for an easier transition, if possible. If the previous owner is unavailable, see Transferring ownership from an unavailable owner.

• Remove any employee-specific entries from your Users and Keys page
  • Sign in to the Cloud Platform user interface and navigate to your environment in an application.

  • Click Users and SSH Keys.

    This displays the Users and keys page.

  • Change the passwords for the private keys or generate new keys entirely.

• Remove the employee from any elevated roles on your websites

  Check any single sign-on solutions your organization uses.

• Remove the employee’s entries from the Teams and Permissions pages

  For information about how to do this, see Transferring ownership of an organization. For information about completely deleting a user account from Cloud Platform, see GDPR Data Subject Rights requests.

• Update credentials in Pipelines

  Pipelines performs jobs with the credentials of the user who first performs a Pipelines job for that subscription. If the departing employee provided the credentials for your subscription, your Pipelines jobs may fail. For more information, see User permission issues.

Drupal security

Be sure to review the following items to secure your website after an employee’s departure:

• Change any administrative passwords to which the employee had access

  Affected passwords can include the website itself, shell accounts, and phpMyAdmin.

• Review the Drupal roles and permissions

  Edit the employee’s account in your Drupal website, and change their access to a lower permission level, or set it to blocked.

  Important

  Acquia does not recommend deleting accounts as that can lead to data loss in Drupal.

• Review recent code changes

  If the parting is less than amicable, a departing individual may commit code allowing continued access to the website through a back door.

• Revoke access to servers and version control systems
• Review IP allowlists on firewalls and Apache (or your) .htaccess files

• Change the salt for your encryption

  For more information about encryption salting, see this Wikipedia article.

Best practices for team member departures